OpenVPN

Introduction

One of the most important tools for working on-the-go is being able to connect to your office via the Interweb in a secure manner. I’m talking about VPN (Virtual Private Network). There are many services out there (paid and free), but I wanted something that worked in a point-to-point manner and that allowed me to appear to be physically connected to the (remote) LAN. For this I turned to OpenVPN.

OpenVPN is a free, open-source VPN implementation. I must admit that I’ve used it before and it worked great, but I’ve never set up an OpenVPN network before. In my attempt to actually implement a VPN network using OpenVPN, I found the initial cryptography pretty straightforward when following the HOWTO guide, but stumbled around quite a bit during the testing phase when I tried to access the remote/server LAN’s resources. The HOWTO documentation is quite fragmented and not very noob-friendly. After much Googling and YouTubing, I finally worked out what the issue(s) were and managed to get the VPN working this morning.

What I hope to present here is my implementation, in enough detail that it can be successfully repeated.

Before we begin, I found having a network diagram (courtesy of Gliffy) very useful so I could visualise what was happening:

OpenVPN Server (Windows 7 Ultimate 64-bit)

Router (Billion BIPAC-7402G) set up as DHCP & DNS server and PPPoE with Pass-thru mode

WAN (MWeb 384kps ADSL)

OpenVPN Client (Windows Vista)

Prerequisites

Due to the nature of ADSL accounts, WAN IP addresses are dynamically allocated by the ISP, which makes finding the office’s IP address a moving target. To manage this issue, we use a public (and free) dynamic DNS service like DynDNS.

Create a free DynDNS hostname, something like mydomain.dyndns.org. You can plug that into your router (if it supports dynamic DNS updates) or download one of DynDNS’s clients.

Installing OpenVPN on the client and server

Download the Windows OpenVPN installer here (I used 2.1.4) and run it on both server and client.

Router configuration

By default, your [OpenVPN server-side] ADSL router is configured to disallow incoming connections. We will need to configure Port Forwarding on your router to allow your client to connect to the OpenVPN server behind it. As you’ll see from the client configuration file, clients will connect to the server via port 443 (HTTPS) – I used this port because some corporate networks may only allow HTTP and HTTPS outgoing connections.

Network Connection Bridging

As explained previously, bridge mode allows VPN clients to connect to the server LAN and browse/operate as if they were on that LAN. This can be done as follows on the server:

Here we do some crypto black magic (you can read the specifics in the HOWTO). I’m going to present it here, as per the HOWTO, as simply as possible:

SERVER

CLIENT

Open the command prompt as Administrator

cd to C:\Program Files (x86)\OpenVPN\easy-rsa

run init-config

Edit the vars.bat file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL parameters (mandatory)

run vars.bat

run clean-all.bat

run build-ca.bat

The build-ca.bat script will generate the certificate authority (CA) certificate and key. During the generation process, you’ll be prompted for some info; for most of it the default value can be used (just hit Enter). The only parameter that must be entered is COMMON NAME (e.g. OpenVPN-CA).

Edit client.ovpn and ensure the cert and key parameters correctly refer to the client key files copied in the previous step.
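Since the configuration files themselves are not reproduced in this post, here is an added example (not the post’s original configuration) of a matching server.ovpn and client.ovpn pair for the bridged, TCP-443 setup described above. It assumes the server certificate was built with easy-rsa’s build-key-server.bat (so it carries the server extended key usage that remote-cert-tls checks), that the client files are named client1.crt/client1.key, that a ta.key was generated with `openvpn --genkey --secret ta.key` and copied to both sides, and that the 192.168.1.x bridge addresses are placeholders for your own LAN.

```conf
# ---- server.ovpn (constructed example; relative paths resolve from the config directory) ----
port 443
proto tcp-server
# tap (layer 2) is required for bridge mode; tun would give a routed VPN instead
dev tap
ca ca.crt
cert server.crt
key server.key
# Diffie-Hellman parameters from build-dh.bat (file name depends on KEY_SIZE in vars.bat)
dh dh1024.pem
# HMAC-protect the TLS control channel so unauthenticated packets are dropped early
tls-auth ta.key 0
# Bridge mode: LAN gateway, netmask, then the pool handed to VPN clients.
# Assumed addresses: pick a pool outside the router's own DHCP range.
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220
# Stronger data-channel cipher than the 2.1 default (BF-CBC); must match the client
cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun
verb 3

# ---- client.ovpn (constructed example) ----
client
dev tap
proto tcp-client
# DynDNS hostname of the office router, which forwards TCP 443 to the OpenVPN server
remote mydomain.dyndns.org 443
resolv-retry infinite
nobind
ca ca.crt
cert client1.crt
key client1.key
# Opposite key direction to the server's "tls-auth ta.key 0"
tls-auth ta.key 1
# Refuse the handshake unless the peer presents a certificate built as a server cert,
# so another client holding a valid client certificate cannot impersonate the server
remote-cert-tls server
cipher AES-256-CBC
persist-key
persist-tun
verb 3
```

Keep the two files in their respective config directories only: the post notes below that the Windows service starts one instance per .ovpn file it finds there.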

Starting the Server

From the command line, start the OpenVPN server:

openvpn "C:\Program Files (x86)\OpenVPN\config\server.ovpn"

A Windows Firewall warning may pop up telling you that OpenVPN wants access to a port; select OK. (You may have to edit your firewall settings to allow inbound TCP & UDP connections.)

Starting the Client

Double-click the OpenVPN GUI desktop icon to launch the GUI in the system tray.

Right-click the icon and select Connect.

Running the server as a service

By default, OpenVPN is installed as the OpenVPN Service with the startup type set to Manual. To start OpenVPN automatically when the server starts up, set the startup type to Automatic. By default, the OpenVPN service will scan the OpenVPN/config directory for .ovpn files and start an instance for each, so ensure you only have server.ovpn in the ./config directory.